Billions of devices vulnerable to new 'BLESA' Bluetooth security flaw


Level 75
Content Creator
Malware Hunter
Aug 17, 2014
Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed over the summer.

Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol.
BLE is a slimmer version of the original Bluetooth (Classic) standard but designed to conserve battery power while keeping Bluetooth connections alive as long as possible. [...]

In a research project at Purdue University, a team of seven academics set out to investigate a section of the BLE protocol that plays a crucial role in day-to-day BLE operations but has rarely been analyzed for security issues.

Their work focused on the "reconnection" process. This operation takes place after two BLE devices (the client and server) have authenticated each other during the pairing operation.
Additional details about the BLESA attack are available in a paper titled "BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy" [PDF, PDF]. The paper was presented at the USENIX WOOT 2020 conference in August.